Skip to content

Spark allows remote attackers to read arbitrary files via a .. (dot dot) in the URI

High severity GitHub Reviewed Published Oct 4, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

maven com.sparkjava:spark-core (Maven)

Affected versions

< 2.5.2

Patched versions

2.5.2

Description

Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.

References

Published to the GitHub Advisory Database Oct 4, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2016-9177

GHSA ID

GHSA-89gc-6cw6-4vch

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.